Archive for the ‘Internet’ Category
Posted by jpluimers on 2017/09/08
Some blacklist filters you can use on Mikrotik RouterOS devices:
You might consider using these instead of action=drop:
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 2 Comments »
Posted by jpluimers on 2017/09/01
For debugging purposes:
/log print where buffer=memory && (message~"l2tp" || message~"L2TP")
This will result in an answer like this:
13:43:59 l2tp,info first L2TP UDP packet received from 93.184.216.34
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in, 192.168.73.239
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connected
Some links for when you cannot get connections to work:
Before digging deeper, check the output of settings like these:
/system logging add topics=ipsec
/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print
It will give you answers like these (note that Mac OS X 10.9.5 won't connect with Camellia encryption algorithms and does no better hashing than sha1):
> /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 pfs-modp1024
> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
> /ip ipsec remote-peers print
0 local-address=37.153.243.243 port=4500 remote-address=93.184.216.34 port=15390 state=established side=responder established=22m16s
> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address=93.184.216.34:15390 dst-address=37.153.243.243:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128
1 E spi=0xE0A95C3 src-address=37.153.243.243:4500 dst-address=93.184.216.34:15390 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128
In order to switch away from default as Policy Template Group, you will have to:
- add a new IPSec group (in /ip ipsec policy group)
- add a new IPSec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group
- add a new IPSec policy (in /ip ipsec policy group) with (under General) the same group name as the policy group *and* (under Action) the same proposal name as the proposal
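The three steps above as RouterOS console commands, an added example that is not from the post; the name pfs-modp2048, the sha256/aes-256 choice and the peer index 0 are assumptions, so adjust them to your own configuration:

```routeros
# Added example (not from the post): replace "default" as policy template
# group with a dedicated group so the peer only negotiates a stronger proposal.
# The name pfs-modp2048 and the peer index 0 are assumptions.

# 1. a new policy group
/ip ipsec policy group add name=pfs-modp2048

# 2. a proposal whose PFS group matches the group created above
/ip ipsec proposal add name=pfs-modp2048 auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# 3. a policy template that references both the group and the proposal
/ip ipsec policy add template=yes group=pfs-modp2048 proposal=pfs-modp2048 \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

# point the L2TP peer (printed as 0 above) at the new template group and
# raise its phase-1 DH group to match
/ip ipsec peer set 0 policy-template-group=pfs-modp2048 dh-group=modp2048

# verify after the next client connect: the SAs should now show
# auth-algorithm=sha256 and a 64-hex-character enc-key (aes-256)
/ip ipsec installed-sa print
```

A client that cannot go beyond sha1, like the Mac OS X 10.9.5 mentioned above, will no longer connect once only this proposal is offered.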
Some links on hardening IPsec with the DH algorithm:
Miscellaneous links:
–jeroen
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »
Posted by jpluimers on 2017/08/29
Some ideas for date and time calculation:
It should get better (and verifiable) implementations instead of these Julian (not Gregorian!) date conversions:
Notes:
–jeroen
Posted in Algorithms, Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/08/28
Example:
/ip firewall filter export file=ip-firewall-filter.rsc
This exports the Filter part of the IP Firewall into a file named ip-firewall-filter.rsc in the root of the MikroTik router file system, which you can access through the Files menu entry in WinBox or externally through FTP or SFTP (SSH File Transfer Protocol).
–jeroen
via: exporting firewall config – MikroTik RouterOS
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/08/22
The Cloud Router Switches support three types of mirroring. Port based mirroring can be applied to any of the switch-chip ports, VLAN based mirroring works for all specified VLANs regardless of switch-chip ports, and MAC based mirroring copies traffic sent to or received from a specific device reachable from the port configured in the Unicast Forwarding Database.
Port Based Mirroring
The first configuration sets the ether5 port as the mirror0 analyzer port for both ingress and egress mirroring; mirrored traffic will be sent to this port. Port based ingress and egress mirroring is enabled on the ether6 port.
/interface ethernet switch
set ingress-mirror0=ether5 egress-mirror0=ether5
/interface ethernet switch port
set ether6 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
Source: Manual:CRS examples – MikroTik Wiki [WayBack]
This allows you to torch traffic from a specific port despite that port being grouped to a master-port.
Via: Torch not working with CRS226-24G-2S+ – MikroTik RouterOS [WayBack]
But, when using Bridge, all ports share a single 1 gbps link to the CPU, so your layer 2 performance will suffer horribly.
If you need to see all the traffic from a single port when using Master/slave port configuration, use port mirroring.
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/08/22
Found out about this a while ago:
MAC-Telnet – Open source MAC Telnet client and server for connecting to Microtik RouterOS routers and Posix machines via MAC address.
Source: haakonnessjoen/MAC-Telnet: Open source MAC Telnet client and server for connecting to Microtik RouterOS routers and Posix machines via MAC address. [Fork]
Background:
Earlier, I wrote about a Wireshark plugin for dissecting Mac-Telnet packets. Now I have created an open source application for connecting to a RouterOS router.
Source: RouterOS Mac-Telnet application for Linux users | Håkon Nessjøen [WayBack]
My previous post was about RouterOS Mac-Telnet application for Linux users where I talked about the MAC-Telnet client I created for Linux users.
Source: MAC-address based Telnet server in Linux | Håkon Nessjøen [WayBack]
–jeroen
Posted in C, Development, Internet, MikroTik, Power User, routers, Software Development | Leave a Comment »
Posted by jpluimers on 2017/08/14
Just in case you see UDP port 5678 in the firewall log of your MikroTik device: it's the MikroTik Neighbor Discovery Protocol (MNDP) [WayBack].
You can either block Neighbour Discovery [WayBack] in the firewall or turn it off on the MikroTik Services [WayBack] page, which also lists these protocols and ports used by RouterOS:
| Proto/Port | Description |
| 20/tcp | FTP data connection |
| 21/tcp | FTP control connection |
| 22/tcp | Secure Shell (SSH) remote login protocol |
| 23/tcp | Telnet protocol |
| 53/tcp, 53/udp | DNS |
| 67/udp | Bootstrap protocol or DHCP Server |
| 68/udp | Bootstrap protocol or DHCP Client |
| 80/tcp | World Wide Web HTTP |
| 123/udp | Network Time Protocol (NTP) |
| 161/udp | Simple Network Management Protocol (SNMP) |
| 179/tcp | Border Gateway Protocol (BGP) |
| 443/tcp | Secure Socket Layer (SSL) encrypted HTTP |
| 500/udp | Internet Key Exchange (IKE) protocol |
| 520/udp, 521/udp | RIP routing protocol |
| 646/tcp | LDP transport session |
| 646/udp | LDP hello protocol |
| 1080/tcp | SOCKS proxy protocol |
| 1698/udp, 1699/udp | RSVP TE Tunnels |
| 1701/udp | Layer 2 Tunnel Protocol (L2TP) |
| 1723/tcp | Point-To-Point Tunneling Protocol (PPTP) |
| 1900/udp, 2828/tcp | Universal Plug and Play (UPnP) |
| 1966/udp | MME originator message traffic |
| 1966/tcp | MME gateway protocol |
| 2000/tcp | Bandwidth test server |
| 5246/udp, 5247/udp | CAPsMAN |
| 5678/udp | MikroTik Neighbor Discovery Protocol |
| 6343/tcp | Default OpenFlow port |
| 8080/tcp | HTTP Web Proxy |
| 8291/tcp | Winbox |
| 8728/tcp | API |
| 8729/tcp | API-SSL |
| 20561/udp | MAC Winbox |
| /1 | ICMP |
| /2 | Multicast (IGMP) |
| /4 | IPIP encapsulation |
| /41 | IPv6 (encapsulation) |
| /46 | RSVP TE tunnels |
| /47 | General Routing Encapsulation (GRE), used for PPTP and EoIP tunnels |
| /50 | Encapsulating Security Payload for IPv4 (ESP) |
| /51 | Authentication Header for IPv4 (AH) |
| /89 | OSPF routing protocol |
| /103 | Multicast (PIM) |
| /112 | VRRP |
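Both options from above (block it in the firewall, turn it off on the interface) as RouterOS commands, an added example that is not from the post; the interface name ether1-wan is an assumption, and the per-interface discovery command is the RouterOS 6.x form that predates interface lists:

```routeros
# Added example (not from the post). Assumes the WAN interface is ether1-wan.

# log a few MNDP packets per minute so you can see who is probing, then
# drop the rest; both rules sit in the input chain because the router itself
# is the destination of UDP/5678
/ip firewall filter add chain=input in-interface=ether1-wan protocol=udp \
    dst-port=5678 action=log log-prefix="MNDP-wan" limit=5/1m,5:packet \
    comment="MNDP from WAN (log)"
/ip firewall filter add chain=input in-interface=ether1-wan protocol=udp \
    dst-port=5678 action=drop comment="MNDP from WAN (drop)"

# stop the router from advertising itself on that interface as well
# (per-interface form of RouterOS 6.x; later releases moved this to
#  /ip neighbor discovery-settings and an interface list)
/ip neighbor discovery set ether1-wan discover=no

# check: the packet counters on the two rules show whether anything still arrives
/ip firewall filter print stats where comment~"MNDP"
```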
–jeroen
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »
Posted by jpluimers on 2017/07/27
Some links that were useful getting the SMS sending stuff to work.
The documentation is clear on what to do to send/receive SMS:
But it is unclear what USB hardware does work, so here are some links:
You can also do it the other way around:
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/07/26
Though the Mikrotik people seem reluctant to make the font size in Winbox configurable, if you run it through WineBottler on OS X, you can scale the individual app. It’s not very pretty but makes it easier to use.
The trick is based on the Windows DPI font settings explained for instance at DPI Display Size Settings – Change – Windows 7 Help Forums and Large Fonts in Registry: Where Exactly? | PC Review but then in Wine.
For Windows, this is a system wide setting, but on a WineBottler application there is one “Windows environment” per application, so it’s application specific and should work for other applications than WinBox as well.
It makes it much easier to do script editing now.
Steps I performed:
- Quit all WinBox instances
- Open a Terminal
- Open this file: /Applications/Winbox4Mac.app/Contents/Resources/system.reg
- Find this key and name=value:
  - key: [System\\CurrentControlSet\\Hardware Profiles\\Current\\Software\\Fonts] 1460991918
  - name=value: "LogPixels"=dword:00000060
- Change the name=value to be like this (scales to 133.3333333%): "LogPixels"=dword:00000080
- Save the file
- Start WinBox
The value increases the DPI from 0x60 (96 DPI) to 0x80 (128 DPI), but the WinBox software isn't smart enough to scale a lot of other UI properties based on it (like control dialogs, grid cell sizes and script editors).
So it takes a bit of experimenting to find what works well (on my system, dword:00000090, or 144 DPI, which scales to 150%, cuts off too much of the descenders).
Values I tried:
- dword:00000060
- dword:00000078
- dword:00000080
- dword:00000084
- dword:00000090
I got at this trick through [Wine] Screen font size then wading my way to find where system.reg was stored on my system.
TODO: dive into Fixing Windows font scaling without restarting | Marc Durdin’s Blog and see if other registry settings need to be applied as well.
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2017/07/19
I’ve not tracked down the cause yet, but these seem to be related:
1. The Mac OS X build of Atom IO
2. WinBox v 3.4 WineBottle version from Winbox for Mac in an embedded Wine environment – Joshaven.com
3. pbcopy / pbpaste that allow command-line copy/pasting
4. none of these being able to copy/paste any more and return error level 1 like terminal – pbcopy exits code 1, no error message – Ask Different but not even running tmux or screen which means this solution does not apply: ChrisJohnsen/tmux-MacOSX-pasteboard: Notes and workarounds for accessing the Mac OS X pasteboard in tmux sessions.
5. I didn't have Mouse Keys turned on
6. Other applications (Chrome, FireFox, TextEdit, Finder, etc) still being able to copy/paste between each other
I’ve “fixed” 4. by doing this as recommended at osx – Copy and Cut sometimes don’t work – Ask Different:
launchctl list | grep com.apple.pboard
If the pboard daemon is running, then stop and start it. If it’s not running, start it:
launchctl stop com.apple.pboard
launchctl start com.apple.pboard
Now 4. works again if I restart each application, 6. still works, but these applications still cannot copy/paste to 1. 2. and 3.
What does work is a full reboot, but that takes a while (especially Chrome re-loading lots of Windows: I need to get more organised here).
It might be that I need to restart each application in 6.
Grrr…..
–jeroen
Posted in *nix, *nix-tools, Apple, atom editor, Hardware, iMac, Internet, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MikroTik, Network-and-equipment, OS X 10.10 Yosemite, OS X 10.11 El Capitan, OS X 10.9 Mavericks, Power User, routers, Text Editors, tmux | 4 Comments »